[150441] in North American Network Operators' Group


Re: do not filter your customers

daemon@ATHENA.MIT.EDU (Danny McPherson)
Thu Feb 23 21:01:42 2012

From: Danny McPherson <danny@tcb.net>
In-Reply-To: <m21upm82x1.wl%randy@psg.com>
Date: Thu, 23 Feb 2012 21:00:31 -0500
To: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Feb 23, 2012, at 1:44 AM, Randy Bush wrote:

> a customer leaked a full table to smellstra, and they had not filtered.
> hence the $subject.

Ahh, this is, I think, the customer "leak" problem I'm trying to illustrate
that an RPKI/BGPSEC-enabled world alone (as currently prescribed)
does NOT protect against.

If it can happen by accident, it can certainly serve as a smoke screen or
enable an actual targeted attack quite nicely by those so compelled.

> and things went further downhill from there, when telstra also did not
> filter what they announced to their peers, and the peers went over
> prefix limits and dropped bgp.

Prefix limits are rather binary and indiscriminate, indeed.

-danny
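
The following is an added illustration, not part of the original message or the thread: a small Python model of a customer session receiving leaked routes, comparing RPKI-style origin validation, a max-prefix limit, and a per-customer prefix filter. All prefixes, AS numbers, the ROA table and the function names are constructed for the example (documentation prefixes and reserved ASNs).

```python
import ipaddress

# Constructed sample data: ROA table as prefix -> (authorized origin AS, max length).
ROAS = {
    "192.0.2.0/24": (64500, 24),     # the customer's own prefix
    "198.51.100.0/24": (64510, 24),  # unrelated third party
    "203.0.113.0/24": (64520, 24),   # unrelated third party
}
CUSTOMER_AS = 64500
CUSTOMER_PREFIXES = {"192.0.2.0/24"}  # assumed per-customer filter, e.g. built from IRR data

# Routes heard on the customer session as (prefix, AS path). The customer is
# re-announcing routes learned from another upstream (AS 64496): a leak.
LEAK = [
    ("192.0.2.0/24", [64500]),
    ("198.51.100.0/24", [64500, 64496, 64510]),
    ("203.0.113.0/24", [64500, 64496, 64520]),
]

def rpki_origin_valid(prefix, as_path):
    """Origin validation checks only the origin AS (last hop) and prefix length."""
    net = ipaddress.ip_network(prefix)
    for roa_prefix, (origin, max_len) in ROAS.items():
        covers = net.subnet_of(ipaddress.ip_network(roa_prefix))
        if covers and net.prefixlen <= max_len and as_path[-1] == origin:
            return True
    return False

def accept_with_origin_validation(routes):
    # Leaked routes keep their true origin, so every one of them validates.
    return [p for p, path in routes if rpki_origin_valid(p, path)]

def accept_with_max_prefix(routes, limit):
    # All-or-nothing: over the limit the session is torn down, and the
    # customer's legitimate route is lost along with the leaked ones.
    if len(routes) > limit:
        return []
    return [p for p, _ in routes]

def accept_with_prefix_filter(routes):
    # Per-prefix decision: only the customer's registered prefixes, originated
    # by the customer, are accepted; the leaked routes are dropped individually.
    return [p for p, path in routes
            if p in CUSTOMER_PREFIXES and path[-1] == CUSTOMER_AS]

if __name__ == "__main__":
    print("origin validation:", accept_with_origin_validation(LEAK))
    print("max-prefix (2):   ", accept_with_max_prefix(LEAK, limit=2))
    print("prefix filter:    ", accept_with_prefix_filter(LEAK))
```
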

